Monday Briefing: Hacks, Public Companies and the SEC

Patterson Belknap Webb & Tyler LLP
Contact
LinkedIn
Facebook
X
Send
Embed

With the U.S. Securities and Exchange Commission’s updated cybersecurity guidance hot off the press, let’s start the week by taking a look at public company cyberattack reporting statistics.

In 2017, there were 4,732 cyberattacks on American businesses, according to the Privacy Rights Clearinghouse. That figure includes private companies so it’s only a rough guidepost for the overall magnitude of last year’s breaches.

During the same time, only 24 public companies reported data breaches to the SEC, according to Audit Analytics, a research firm that tracks securities filings. Audit Analytics also found that 64 public companies suffered a data breach in 2017. That means only 37% of public companies experiencing a breach last year reported it to the SEC.

Over a longer time frame, the statistics are similar. Since 2011 – when the SEC issued its initial cybersecurity guidance for public companies – only 106 companies have reported data security incidents to the SEC. Over the same seven-year period, there were 342 hacks of public companies.

That translates into only 30 percent of public company data breaches being reported in SEC filings. This disparity might be due to numerous factors including whether the breach was deemed material by the company or a general reluctance to make such events public. More research is needed to get to a definitive answer.

And how do public companies disclose breaches?  It varies.

In some cases, data breaches are disclosed in the risk factor section of a company’s annual Form 10K filing or annual report or in its discussion of internal controls. In other cases, breach disclosures are made in financial statement footnotes especially if the costs associated with the breach are expected to be material or if significant litigation or regulatory has been commenced. Breach disclosures are also made in quarterly filings or on a Form8K issued to disclose the breach.

For a more detailed explanation of the Commission’s updated cybersecurity guidance, click here to see our Client Alert. And for a more in-depth perspective on the dilemma public companies face in deciding if and when to report a cyberattack, click here to read my New York Times piece that discusses the “tension between the need for discreet cooperation with law enforcement and the obligation to information investors and the markets.”

We’ll continue to monitor this important area.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Patterson Belknap Webb & Tyler LLP
Contact
more
less

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide